The intelligence in this week’s iteration discusses the following threats: Botnet, Cryptocurrency miner, Cyber espionage, Ransomware, Targeted attacks, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Android Devices Targeted by New Monero-Mining Botnet (February 5, 2018)
Android devices such as smartphones, smart televisions, and television set-top boxes are being targeted by a new Monero cryptocurrency mining botnet that first appeared on February 3, 2018, according to Qihoo 360 researchers. The botnet, dubbed “ADB.miner,” is targeting port 5555, Android’s Debug Bridge (ADB), and appears to have infected approximately 7,400 devices at the time of this writing. Researchers have not stated specifically how the botnet is utilizing an ADB vulnerability to infect Android devices. Android devices come with port 5555 disabled by default, so the devices that have been infected and are being targeted are those on which individuals have manually enabled port 5555.

Attackers Exploiting Unpatched Flaw in Flash (February 2, 2018)
Adobe has issued a security advisory regarding a vulnerability, registered as “CVE-2018-4878,” that affects Adobe Flash Player version 28.0.0.137 and all earlier versions. Threat actors have been observed exploiting this vulnerability in the wild via Microsoft Office documents with embedded malicious Flash content. Additional information on this vulnerability has not yet been made available because a patch has not yet been issued.

DDG, The Second Largest Mining Botnet Targets Redis and OrientDB Servers (February 2, 2018)
Qihoo 360 Netlab researchers have published information regarding a new cryptocurrency-mining campaign driven by the “DDG” botnet. DDG was first discovered in 2016 and is currently believed to be the second largest mining botnet, behind only the “Smominru” botnet. Researchers state that DDG has infected approximately 4,000 “OrientDB” and “Redis” servers. To compromise the servers, the actors behind the botnet are exploiting the remote code execution vulnerability registered as “CVE-2017-11467” against OrientDB servers, and using brute force attacks against Redis servers. Researchers identified three wallets that appear to be associated with DDG mining operations. It is unclear how much cryptocurrency was mined because of inconsistencies in some of the wallets, but the amount of Monero that has been mined is either 3,395 ($748,359.85 USD) or 5,760 ($1,269,676.80 USD).

Meltdown/Spectre-based Malware Coming Soon to Devices Near You, Are You Ready? (February 1, 2018)
Security researchers have discovered that threat actors are creating malware designed to exploit the recently discovered vulnerabilities located in processors used in millions of devices around the world. The vulnerabilities, dubbed “Meltdown” and “Spectre,” affect processors from AMD, ARM, and Intel, and are present in various devices such as computers, servers, and smartphones, among others. If exploited, the vulnerabilities could allow an actor to “bypass memory isolation mechanisms and access everything, including memory allocated for the kernel containing sensitive data like passwords, encryption keys and other private information.”

Malicious Chrome Extensions Found in Chrome Web Store, Form Droidclub Botnet (February 1, 2018)
A new botnet, dubbed “Droidclub,” is infecting browsers via malicious extensions in the Google Chrome Web Store, according to Trend Micro researchers. At the time of this writing, approximately 500,000 downloads of malicious extensions associated with Droidclub have taken place. The extensions are capable of injecting advertisements and cryptocurrency mining code into websites that an infected machine visits. The threat actors behind this campaign use malvertisements to promote downloads of the malicious extensions.

Smominru Monero Mining Botnet Making Millions for Operators (January 31, 2018)
A “Monero” cryptocurrency mining botnet called “Smominru” has been using the “EternalBlue” exploit to infect machines around the globe since May 2017, according to Proofpoint researchers. The botnet is using the combined computing power of its nodes to mine Monero on a significant scale. Overall, researchers believe that this botnet has mined approximately 8,900 Monero, worth approximately $2.4 million USD at the time of this writing. Proofpoint worked with abuse[.]ch and the ShadowServer Foundation. Together they discovered that at least 25 actor-controlled hosts were actively attempting to use EternalBlue to infect new nodes. Researchers identified that the botnet consists of approximately 526,000 Windows hosts, which are believed to be primarily servers.

Image Previewer: First Firefox Addon that Injects an In-Browser Miner? (January 31, 2018)
Bleeping Computer researchers have identified a malicious extension for the Firefox web browser called “Image Previewer.” The extension was found to display popups and inject in-browser cryptocurrency miners into Firefox. Image Previewer is distributed via web sites that promote it as a “Firefox manual update.” If a user installs the extension, it will inject a script tag referencing a remote JavaScript file that monetizes visited sites via popups; the extension is also capable of link click hijacking and advertisement injection. Additionally, Image Previewer will open a webpage within an iframe that contains a setup script for an in-browser Monero cryptocurrency miner.

Critical Oracle Micros POS Flaw Affects Over 300,000 Payment Systems (January 31, 2018)
The Oracle Corporation has released its January 2018 update, which addresses 238 vulnerabilities in multiple products. One of the vulnerabilities, registered as “CVE-2018-2636,” affects the company’s “MICROS” Point-of-Sale (POS) systems used by over 300,000 entities around the globe. If exploited, the vulnerability could allow threat actors to read sensitive information and receive data from other services on affected MICROS systems without authentication. Researchers note that two of the files actors could access after exploitation contain usernames and encrypted passwords, which could then be brute forced to “gain access to the DB with all business data.” This would result in an entire MICROS system being compromised.

Dridex Gang Follows Trends, Also Created FriedEx Ransomware (January 30, 2018)
The threat group behind the “Dridex” banking trojan is responsible for creating a new ransomware family dubbed “FriedEx,” according to ESET researchers. The researchers point to multiple forms of evidence behind their assessment. Their evidence consists of similarities between Dridex and FriedEx that include the following: the same malware packer, the same function for generating a “UserID” for an infected system, and the same compilation date on some Dridex and FriedEx samples, among others. FriedEx is distributed “via an RDP (Remote Desktop Protocol) brute force attack.”

Dutch Banks, Tax, Agency Under DDoS Attacks a Week After Big Russian Hack Reveal (January 30, 2018)
On January 29, 2018, multiple Dutch entities reported being targeted with Distributed Denial-of-Service (DDoS) attacks. Entities that reported such attacks include three Dutch banks, “ABN AMRO,” “Rabobank,” and “ING Bank.” In addition, the Dutch Taxation Authority, “Belastingdienst,” also reported having been targeted. These attacks took place between January 27 and January 29. The DDoS attacks reached a peak of 40 gigabits-per-second (Gbps). These attacks prevented users from being able to log in to the financial institutions’ and Taxation Authority’s web portals. Researchers believe that these attacks may be in response to Dutch intelligence services having compromised a machine operated by the Russian Advanced Persistent Threat (APT) group “Cozy Bear.” The Dutch intelligence services shared information gathered from said machine with the U.S. government regarding Russian malicious activity conducted during the U.S. presidential election.

Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability (January 29, 2018)
Cisco has issued a security advisory regarding a vulnerability, registered as “CVE-2018-0101,” that affects the Secure Socket Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software. The vulnerability could be exploited by a threat actor to cause a reload of the affected device or to execute remote code. Cisco notes that there is no workaround for this vulnerability, and the company has issued a patch to address the vulnerability, which affects 10 Cisco products.

Three Days of Seamless Campaign Rig EK Pushing GandCrab Ransomware (January 29, 2018)
Security researchers have observed the “Seamless” malvertising campaign distributing a ransomware dubbed “GandCrab” via the Rig Exploit Kit (EK). The ransomware distribution was observed to have begun on January 26, 2018. If a user clicks on a malicious advertisement associated with this campaign, they will be redirected to a landing page that hosts the Rig EK. Researchers identified that Rig was using an Adobe Flash exploit, as is common with exploit kits, to infect users with the GandCrab ransomware.

Hacking Group Spies on Android Users in India Using PoriewSpy (January 29, 2018)
An unnamed threat group, believed to have targeted and victimized government officials in the past, is conducting an espionage campaign targeting Android users in India, according to Trend Micro researchers. The actors are conducting their data-theft activities via malicious applications dubbed “PoriewSpy” that were found in the Google Play store. Researchers believe that the actors created the malicious apps with “DroidJack” or “SandroRAT,” based on similarities in their Command and Control (C2) server. PoriewSpy is capable of stealing information from an infected device such as call logs, contact lists, and SMS messages, among others. DroidJack is even capable of fully taking over an Android device if installed.

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

RIG exploit kit Tool Tip
The RIG exploit kit is a framework used to exploit client-side vulnerabilities in web browsers. The RIG exploit kit takes advantage of vulnerabilities in Internet Explorer, Adobe Flash, Java, and Microsoft Silverlight. The RIG exploit kit was first observed in early 2014. The RIG exploit kit’s objective is to upload malicious code to the target system. The RIG exploit kit is known to distribute ransomware, spambots, and backdoors. Victims are redirected to the RIG exploit kit landing page from malvertising or compromised sites.
Tags: RIG, exploitkit

WatchGuard will discontinue offering for sale (EOS) the WatchGuard 802.3af PoE Injector for access points on April 1, 2018. At that time, hardware accessory SKU WG8568 will be discontinued and removed from active WatchGuard price lists. Should new orders come in after April 1, 2018, WatchGuard will not accept them if inventory is depleted. As a replacement, WatchGuard has introduced an 802.3at PoE+ Injector for all our access points, and it is currently available for shipment. The new 802.3at PoE+ injector is offered in four SKUs for varying power cord options:

Major events like the Winter Olympics attract a lot of attention from fans all around the world. For three weeks fans will watch in person, on televisions, and online to follow the various competitive events. This attention is attractive to advertisers but it’s also attractive to cyber criminals who will inevitably use the Games as lures for phishing and other social engineering campaigns. Threats related to the Winter Olympics go deeper than that, however.

Understanding the threat landscape related to events like the Olympics is one way to proactively identify threats ahead of any related compromise. It’s not hard to assume that phishing attacks will come that use the Olympics as a lure. Anyone who’s been in the security game for any period of time should know that drill pretty well. The more interesting pieces in the landscape puzzle are the sponsors, suppliers, and agencies that make the Olympics happen. A phishing lure to a supplier may not mention the Olympics at all but may instead lean on the relationship it has with another organization. Knowing this kind of attack was coming ahead of time helps organizations understand how to drive specific awareness around it. It also allows security teams to focus energy in places most likely to be impacted by such attacks.

Events like the Olympics are known far in advance. In the case of the 2018 Winter Olympics, the host city was chosen in July 2011. Planning began shortly thereafter with the creation of a coordination commission in August. Within a year of the announcement, activity was well underway to prepare for the Games. Details that trickled out via media stories and press releases could have armed potential attackers with valuable information for delivering targeted attacks long before the Olympics begin.

It is also important for defenders to understand the geopolitical forces at play in the region where the Games will be held. In the case of the Olympics in PyeongChang, the tensions between North and South Korea could play a role in any potential attacks (even if indirectly). North Korea may not have any interest in doing anything to disrupt the games but may be interested in a display of power during or near the timeframe of the Games. Given the recent agreement between North and South Korea regarding North Korea’s planned participation in the games, even this is now less likely. As always however, any entity with interests or activities that relate to South Korea or the Olympics should stay abreast of any changing developments in the region.

Another somewhat obvious angle to be aware of is the Russian doping scandal and expected fallout. Since the International Olympic Committee (IOC) banned Russia from participating in the 2018 Winter Olympics, the Fancy Bears’ Hack Team has released compromised emails and other documents from a number of doping related organizations and even the IOC. Their goal seems to be to exonerate Russia for its doping scandal by exposing what they believe to be similar abuses of banned substances across international athletics. Any organization related to doping, international athletics, or even athletes themselves should be aware of this activity and seek extra protections around their email accounts and sensitive documents.

Awareness is a big step in knowing where to look for attacks and signs of compromise. Understanding the threat landscape and how it changes over time helps keep defensive teams situationally aware and shows them where to position defensive focus.

For a broader look at the threat landscape around the 2018 Winter Olympics in PyeongChang, South Korea, download our 2018 Olympics Report.

WebBlocker Incident Report
Users of the WebBlocker service in Europe experienced an outage late Thursday night that lasted into Friday morning, January 25 – 26, 2018. WatchGuard has worked closely with our partner Forcepoint over the last few days to analyze the failure and to put processes in place to ensure that events like this do not happen again. We are sharing details here so our partners and users are confident that we have addressed this issue.

Background
WebBlocker uses the Forcepoint ThreatSeeker Cloud URL database for web categorization, which is hosted in their ThreatSeeker Cloud Service. The URL database is hosted at 5 different locations around the world. The Firebox selects the appropriate location of the service based on the location of the DNS server that it uses. Unfortunately, there was an outage at the UK server last week that affected HTTPS lookups and led to our service outage. With Fireware version 12.0, WatchGuard switched to using the more secure HTTPS instead of HTTP for web category lookups, so only customers running Fireware version 12.0 or later were affected. Customers all over Europe use the UK server.

Incident Summary & Root Cause Analysis

Incident start time: Thursday January 25 2018 20:49 UTC

Incident end time: Friday January 26 2018 08:35 UTC.

Root Cause: As part of routine maintenance of firewall infrastructure in Heathrow (A) the active Virtual IP for the ThreatSeeker Cloud service was moved to another firewall device. During this process, the firewall for the HTTPS ThreatSeeker Cloud service did not start correctly on the new device. As a result, the ThreatSeeker cloud server in the UK was not accepting HTTPS lookups, causing our service to fail. The unavailability of the HTTPS ThreatSeeker Cloud service in Heathrow (A) was not immediately detected by WatchGuard. Sufficient monitoring was not in place to check for responses to both HTTP and HTTPS requests.

Customer Impact: Users who have the server timeout in WebBlocker configured to deny access would have lost internet connectivity during this period. Users with the alternative “fail open” setting would have seen web connections allowed but no categorization would have been provided.

Incident Tracking: Fireboxes were unable to connect to Heathrow London aka UK (A) ThreatSeeker Cloud service using HTTPS. The incident is tracked on the Forcepoint Cloud status page at https://status.forcepoint.net/ in the ThreatSeeker Cloud section.

Process Updates
Forcepoint has increased monitoring of both HTTP and HTTPS connections to all ThreatSeeker servers around the world. WatchGuard is also planning to put more monitoring in place to supplement the Forcepoint efforts. WatchGuard and Forcepoint have reviewed our support escalation procedures and initiated a process to immediately elevate critical network-impacting issues so they get immediate attention.

The new and enhanced monitoring, combined with more streamlined support processes, will ensure this type of incident does not occur again, as well as better and faster escalations should any future issues occur.

On behalf of WatchGuard, we apologize for any inconvenience this has caused our partners and customers.

Unlike any other time, technology is having a tremendous impact on the energy industry. Some of the major trends are in areas we’re familiar with, yet the level of activity has increased dramatically.

We see energy providers increasingly turning to information and communications technology to modernize the grid and improve situational awareness, with the goal of further maximizing the use of operational assets and optimizing the energy value chain. With specific expertise in these areas, we at Intel, along with our energy industry partners, are focused on the following technology trends for 2018:

2. Governments Invest in Green Energy

Countries are making green investment pledges to raise more money for climate action, as seen by commitments made at the Paris Climate Accord and the “One Planet” summit in Paris. Some of these efforts will drive the gasification of the coal industry in the short term and the growth of utility-scale solar and wind generation (off-shore and on-shore) in the long term to reduce the emission of pollutants.

3. Utility Companies Add Batteries to the Grid

Lithium-ion batteries are now a viable option to store energy on the grid, enabling utility companies to take full advantage of renewable energy sources despite their variable, intermittent output. One example is San Diego Gas & Electric (SDG&E), which deployed a 30 MW lithium-ion battery system, capable of storing 120 MWh of energy and serving 20,000 customers for four hours.

4. Electric Vehicle Momentum Accelerates

A lack of ubiquitous and fast charging stations has caused potential electric vehicle (EV) owners to defer their purchase, as they may not consider an EV a replacement for their gasoline-powered car. Some automakers and utilities see this as a big opportunity and plan to significantly increase the number of vehicle charging stations. Four automakers started a joint venture, called Ionity, with plans to install a network of 400 high-power EV chargers across Europe by 2020; and French utility Engie bought Dutch EV-Box, one of Europe’s biggest makers of charging stations.

With EV charging destined to be a huge business opportunity, operators are trying to figure out how to best compete in what will be a fiercely competitive market. This requires data collected on EVs (e.g., charge times, tire pressure, and vehicle performance), and on consumer behavior and preferences. Early on, some operators may even give consumers free charges in order to get them to opt in to data collection programs. Data privacy will be a critical regulatory consideration.

As EVs become more popular, the future of gas-powered vehicles is dimming, as countries such as China and France ready plans to end sales by around 2040. Even sooner, the Paris authorities plan to banish all petrol- and diesel-fueled cars from its city by 2030. This movement will fuel higher technology investment in EVs and charging stations.

5. Energy Production Gets Consumerized

A number of businesses and consumers already have solar panels on rooftops, and microgrids are emerging to give them more control over how they produce, consume, and sell energy. This is a way for companies and homeowners to become their own utility. One example is the Indian government, which is planning to build at least 10,000 renewable-based micro- and mini-grid projects across the country, with the goal of making electricity more reliable for consumers.

6. Distributed Generation Will Improve Grid Reliability

Utilities will integrate into their forecast the output of distributed energy resources (DERs), including distributed generation, distributed storage, electric vehicles, demand response, and microgrids. To maintain the reliability of the grid, it is critically important to monitor all these DERs in order to accurately forecast and respond to changes in energy production and demand. With a more active grid management, mitigation measures against the variability of renewable generation, unplanned outages, unbalanced networks, and excessive peak demand will be addressed using intelligent real-time analytics rather than brute force equipment uprating.

7. Utility Companies Deploy their own Communication Networks

Looking to reduce telco costs and have a dedicated control network, some utility companies will consider deploying their own 5G networks. These networks would also allow utility companies to collect their own data wirelessly and generate revenue by selling bandwidth to content providers offering services to the home. Power-line communication (PLC), which sends data over existing power cables and is most suited for densely populated areas, has been used for similar purposes. The combination of PLC and 5G will become an attractive option for utility private communication networks, supporting all their operational and business needs.

In my next blog, I will discuss how new technologies such as the Internet of Things (IoT), real-time networking, virtualization, and deep learning adapted to the grid environment can be designed and deployed to better address these trends.

We are happy to announce the availability of Wi-Fi Cloud 8.5. This latest version of the Wi-Fi Cloud simplifies configuration steps for IT administrators, enhances Wi-Fi service quality in environments with multiple access points (APs) using automatic power optimization, and adds a new cloud integration mode for the AP420 to better support large WIPS sensor overlay deployments.

Automatic Transmit Power Control (TPC)

WatchGuard access points managed by the Wi-Fi Cloud automatically adjust their transmit power levels for optimum levels to avoid interference with each other, which provides a better quality of service for connected users. The new feature requires background scanning to be enabled for 2 radio APs (AP120, AP320, AP322) and is automatically supported with 3 radio APs (AP420).

Consolidated AP Configuration Template

All WatchGuard access point models are now managed with a single AP (device) template in the Wi-Fi Cloud. All device types will be managed through a single configuration within the template, instead of having a separate configuration for each device type. Unique, model-specific attributes are managed with the consolidated template and only used by the AP model to which they apply, saving administrators valuable time.

Cloud Integration Point (CIP) mode for AP420 only

As a reminder, WatchGuard APs can be installed (overlaid) alongside any brand of Wi-Fi access point and configured as WIPS sensors to add additional security protection to an existing Wi-Fi network without having to rip and replace the existing 3rd party APs.

Supported on the AP420, CIP makes managing larger WIPS sensor overlay deployments easier on administrators by integrating with Cisco, Aruba, and HP Wi-Fi controllers to enable Wi-Fi Cloud to fetch information on devices managed by the 3rd party controller. The Wi-Fi Cloud can use this information for Wireless Intrusion Prevention System (WIPS) classification and location tracking of devices.

Integration with Enterprise Security Management servers enables Wi-Fi Cloud to send events and audit logs to these servers, so administrators can use their existing infrastructure to manage Wi-Fi Cloud events and logs.

Access points with active Wi-Fi Cloud subscriptions will need to have their firmware upgraded to 8.5 to leverage these new features. If an automatic firmware upgrade schedule is configured in your Wi-Fi Cloud account, your APs will automatically be upgraded, otherwise please read our help article on updating AP firmware in Wi-Fi Cloud.

When WatchGuard APs are managed with the Wi-Fi Cloud you get strong set-up, management and reporting features including:

The intelligence in this week’s iteration discusses the following threats: APT, Cryptocurrency miners, Phishing, Ransomware, Remote Access Trojan, Targeted attacks, Tax-related malicious activity, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Tax Identity Theft Awareness Week (January 29, 2018)
The United States Computer Emergency Readiness Team (US-CERT) has issued a statement regarding “Tax Identity Theft Awareness Week,” which runs from January 29 through February 2. The U.S. Internal Revenue Service (IRS) and other federal agencies are offering information and resources in regard to tax-related threats and scams.

VERMIN: Quasar RAT and Custom Malware Used In Ukraine (January 29, 2018)
A new Remote Access Tool/Trojan (RAT) dubbed “Vermin” has been observed being used by threat actors in combination with the “Quasar” RAT in a campaign that dates back to late 2015, according to Palo Alto Unit 42 researchers. The Vermin RAT is being distributed via malicious Self-Extracting (SFX) executables, some of which display decoy documents themed after the Ukrainian Ministry of Defense before continuing to execute the RAT. Vermin is capable of stealing various information from an infected machine such as architecture, OS name, local IP address, machine name, and username. Researchers note that Vermin is also capable of installing a keylogger if the malware does not detect antivirus software on the machine.

Keylogger Campaign Hits Over 2,000 WordPress Sites (January 26, 2018)
Approximately 2,000 WordPress-powered websites have been identified as infected with a keylogger on the backend administrator login page, according to security researchers. On the front end, researchers observed an in-browser cryptocurrency miner. Threat actors are targeting older versions of WordPress, or sites that are using older themes and plugins still vulnerable to known exploits, to inject code into the Content Management System source code. Researchers found that actors are injecting malicious code in two parts, the first being the keylogger hosted on a third-party domain, and the second being the JavaScript Monero miner “Coinhive.”

OilRig Uses RgDoor IIS Backdoor on Targets in the Middle East (January 25, 2018)
The Advanced Persistent Threat (APT) group “OilRig” has been observed using a new Internet Information Services (IIS) backdoor dubbed “RGDoor,” according to Palo Alto Unit 42 researchers. Researchers believe that OilRig installs RGDoor on a compromised web server to function as a secondary backdoor in case the “TwoFace” webshell used by the group is discovered. At the time of this writing, researchers do not have any HTTP logs that show OilRig interacting with RGDoor; however, researchers did find that RGDoor is written in the programming language C++. This means the backdoor is built as a Dynamic Link Library (DLL), inside of which researchers found a function named “RegisterModule.” This led researchers to believe that the DLL is “used as a custom native-code HTTP module that the threat actor would load into IIS.”

Large Scale Monero Cryptocurrency Mining Operation using XMRig (January 24, 2018)
Palo Alto Networks Unit 42 researchers have discovered a significant cryptocurrency mining campaign that is primarily targeting individuals in Asia, northern Africa, and South America. Researchers believe that as many as 30 million people have been infected with the open-source cryptocurrency mining software “XMRig,” which is used to mine “Monero.” Threat actors are using Visual Basic Script (VBS) files and URL shortening services to install and execute the XMRig payload. Researchers observed the actors presenting users with Adf.ly links (a URL shortening service that pays the URL owner every time the URL is clicked) that automatically download XMRig onto the machine.

Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA (January 24, 2018)
The Advanced Persistent Threat (APT) group “Lazarus Group” has been observed conducting a new campaign with the objective of stealing cryptocurrencies, according to Trend Micro researchers. The specific cryptocurrencies Lazarus Group is targeting are Bitcoin (BTC) and AntShares (NEO). To target cryptocurrencies, the group is distributing lure documents such as Microsoft Office documents with malicious macros, Microsoft Compiled HTML Help (CHM) files, and script downloaders to infect users with a new version of the “RATANKBA” backdoor. RATANKBA is able to receive and execute commands and steal data from an affected machine. RATANKBA has been observed transferring shares of NEO to a different wallet, as well as mining NEO on an infected machine. This version of RATANKBA is written in PowerShell to make it more difficult to detect.

New Hide ‘N Seek IoT Botnet Using Custom-Built Peer-to-Peer Communication Spotted in the Wild (January 24, 2018)
A new Internet-of-Things (IoT) botnet, dubbed Hide ‘N Seek (HNS), has been observed infecting devices beginning in January 2018, according to Bitdefender researchers. The botnet was first observed January 10 and slowly ceased activity over the next several days. Researchers then observed HNS again on January 20 and noticed that its creators had “significantly improved” it. HNS spreads like a worm via a technique that randomly generates IP addresses to identify possible targets. In addition, HNS can conduct web exploitation via the “Reaper” exploit, registered as CVE-2016-10401. Furthermore, HNS is capable of stealing data and executing arbitrary code on an affected device.

Severe Electron Framework Vulnerability Impacts Apps Like Skype and Slack (January 23, 2018)
Researchers have discovered that the application framework “Electron” is affected by a remote code execution vulnerability. The vulnerability, registered as “CVE-2018-1000006,” affects Electron applications only if they are running on Windows and register themselves as the default handler for a protocol like “mayapp://”. MacOS and Linux applications are not affected by this vulnerability. Some popular applications that are affected by this vulnerability are Discord, Signal, and Skype.

SamSam – The Evolution Continues Netting over $325,000 in 4 Weeks (January 22, 2018)
Cisco Talos researchers and Incident Response Services have published a report discussing a new variant of the “SamSam” ransomware. SamSam has targeted multiple industries including government, healthcare, and Industrial Control Systems. This variant’s encryption process is the same as in previous versions; however, the actor(s) behind the malware have added new string obfuscation and anti-analysis techniques to make detection more difficult. Researchers note that the infection vector for this SamSam variant is currently unknown and that investigation into the matter is ongoing. However, researchers do note that SamSam targeted JBoss hosts in 2016, and that in this campaign the actor(s) may have used compromised RDP/VNC servers to gain an initial foothold.

Fireware 12.1.1 and DNSWatch
Recently WatchGuard announced the acquisition of Percipient Networks, a developer of an easy-to-deploy, security-focused Domain Name System (DNS) service, previously known as Strongarm. We’re excited to announce that the first step in the integration of their solution will take place this week when we release the Fireware 12.1.1 Beta. The new service, DNSWatch, monitors outbound DNS requests and blocks traffic to websites based on a list of known malicious domains.

More than just a filter, DNSWatch was architected to facilitate maximum user and IT admin education. Rather than just blocking traffic to potentially malicious sites, the service redirects users to a ‘blackhole’ where additional information about the attack is collected, and the user is presented with educational materials aimed at preventing future attacks. Just like APT Blocker, the service will be super simple to configure just by checking a box. We’ll take care of the necessary DNS forwarding and Dynamic DNS for changing IP addresses.
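To make the block-and-redirect idea concrete, here is an added example (not WatchGuard’s code, and not the DNSWatch implementation) of the policy decision such a service makes: a query whose name, or any parent label of it, is on a known-malicious list is answered with the address of an educational “blackhole” page instead of being forwarded. The blocklist entries, the sinkhole address 10.255.255.1 and the query-log lines are all constructed for the example.

```python
"""Constructed illustration of a DNS blocklist / sinkhole decision in the spirit of
the DNSWatch description above. Domains, sinkhole IP and log lines are made up."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed blocklist of "known malicious" domains (placeholders, not real IoCs).
BLOCKLIST = {"evil-example.test", "miner-pool.example"}
SINKHOLE_IP = "10.255.255.1"  # assumed address of the educational 'blackhole' page


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Evil-Example.test.' matches the list."""
    return name.rstrip(".").lower()


def blocked_parent(qname: str) -> Optional[str]:
    """Return the blocklist entry covering qname (exact or any parent label), else None.
    'cdn.evil-example.test' is covered by 'evil-example.test'; 'notevil-example.test'
    is not, because matching is per label, not by raw string suffix."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None


@dataclass
class Decision:
    qname: str
    action: str             # "forward" or "sinkhole"
    matched: Optional[str]  # blocklist entry that triggered the block, if any
    answer: Optional[str]   # sinkhole IP when blocked, None when forwarded upstream


def resolve_policy(qname: str) -> Decision:
    """Forward clean names; answer blocked names with the sinkhole address so the
    client lands on the educational page instead of the malicious host."""
    hit = blocked_parent(qname)
    if hit:
        return Decision(qname, "sinkhole", hit, SINKHOLE_IP)
    return Decision(qname, "forward", None, None)


def process_log(lines: List[str]) -> List[Decision]:
    """Parse constructed 'client qname qtype' query-log lines and decide each one."""
    return [resolve_policy(line.split()[1]) for line in lines if line.strip()]


SAMPLE_LOG = """\
192.168.1.20 www.example.com A
192.168.1.21 cdn.Evil-Example.test. A
192.168.1.22 notevil-example.test A
192.168.1.23 miner-pool.example TXT
"""
```

Running `process_log(SAMPLE_LOG.splitlines())` sinkholes the second and fourth queries and forwards the other two; the third line shows why label-wise matching matters.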

Sounds great, where do I get it?
This will be a public Beta, open to all users and we expect it to be available to all by Feb 2nd. If you have not participated in a WatchGuard Beta before, you can sign up at our support page. We’ll also email all previous Beta testers about the new opportunity. We’ll have more information about the service and some other features in 12.1.1 at the Beta site.

How do I get a license?
This week, we will add the service to the feature key of all Not for Resale (NFR) units used by our partners, so we expect to see some great Beta participation from our partner community. Users that wish to participate in the Beta of the new DNSWatch service can use the free trial option that is now available at the product details page for all Firebox appliances. Before we GA Fireware 12.1.1 in mid-March, we will add DNSWatch to the feature key for all appliances with a current TotalSecurity Suite.

Remember that we are still a couple of days away from the Beta. Please don’t contact WatchGuard yet about getting software or feature keys in the NFR.

In 2018, smart building technologies that increase energy efficiency will continue to be at the top of the list for building managers and tenants. These technologies can generate a solid ROI by lowering utility bills, making the investment easier to justify.

In addition to energy management, there is growing demand for solutions to address new government initiatives, and integrated security and safety systems. These requirements will help the global Internet of Things (IoT) for intelligent buildings market to grow at a compound annual growth rate (CAGR) of 15.0 percent, from $6.3 billion (USD) in 2017 to $22.2 billion in 2026, according to a Navigant Research forecast.

Once this infrastructure is in place, what else can you do with it? Improving asset management and increasing occupant comfort can often piggyback on the investments made to curb energy usage. Intel, along with our partners, sees the industry finding synergistic ways to use smart building technology. Here are some technology trends we’re following in 2018:

1. The next wave of energy efficiency is coming

Early investments in smart building technology focused on the low hanging fruit, like upgrading HVAC units and transitioning from incandescent and fluorescent bulbs to LED lighting. Now, organizations are going to the next level with room-by-room lighting control, dynamic temperature control, pre-heated/pre-cooled buildings based on traffic, and other fine-tuning measures. Energy management solutions will incorporate more sensing technology and integrate multiple data sources to improve decision making. With the transition to LED lighting, organizations are going further than bulb replacement, adding building intelligence via sensors mounted in lighting fixtures. The sensors can connect to a gateway or network via a low-rate wireless personal area network (e.g., 802.15.4) or power over Ethernet (PoE). One building at a time, Intel is retrofitting lighting fixtures to sense ambient light and room occupancy and ultimately conserve more energy.

2. OT/IT convergence reduces operations costs

Many smart building solutions are looking more like IT systems, incorporating information technology (IT), like wireless networks and standard communications protocols. This transition is driving convergence of IT and operational technology (OT). Convergence enables these groups to lower operations costs by eliminating redundancy through collaboration on security, networking, and storage infrastructure; customer support; data analysis and reporting; etc.

3. Improved asset management increases ROI

Cameras that count people in buildings can also be used to help maximize the utilization of assets, like work cubicles. This is done at Intel, where camera data is sent to a conference scheduling application that can tell employees which cubicles are unassigned and available for use. Smart building technology is also being used to reduce operations costs and increase building performance through predictive maintenance. Sensor data is analyzed in the cloud by machine learning algorithms that determine the health of a piece of equipment, like a pump, compressor, or HVAC. The algorithms can differentiate normal wear from problematic behavior for individual pieces of equipment. Predictive maintenance solutions empower companies to make quicker, more informed decisions with help from big data analytics and alerts.

4. Cost-effective BMS solutions for small to medium-sized buildings

Technology advancement, like the Internet of Things (IoT) and low-cost sensors, is bending down the cost curve for building management systems (BMS). We are at the point where smart building technology can be affordably installed and managed in small to medium-sized buildings. Prescriptive Data offers such a solution, called NANTUM, a cloud-based, secure building operating system that integrates into any built space, including BMS and non-BMS facilities. The solution helps optimize energy consumption and increase tenant comfort, while providing cost savings. NANTUM learns the rhythm of existing building systems, memorizing today’s operations so that it can positively influence, predict, and prescribe tomorrow’s performance.

5. Occupants get more control over their environment

Temperature variation throughout the day is a common complaint of building occupants and, most likely, impacts their productivity. A study shows a socially-driven HVAC at the Federal Building and U.S. Courthouse in Phoenix increased worker satisfaction with workplace thermal comfort by 83 percent, which should translate into higher productivity and fewer tickets the facilities team needs to address related to occupants being too hot or too cold.

To maintain a constant temperature across various building zones, Intel implemented a machine learning algorithm that predicts appropriate set points for the HVAC in the building. The algorithm not only factors in typical parameters (e.g., return air temperature), it takes into account many others, including occupancy, and ambient temperature. This algorithm runs every two minutes to keep set point predictions current.

6. Buildings become energy assets in their community

Cities and grids are starting to view connected buildings with energy-generation capabilities (i.e., rooftop solar panels) as energy assets. These highly energy-efficient, net zero energy buildings are seen as contributing to society by producing as much energy as they consume.

In my next blog, I will discuss how new technologies, such as IoT and deep learning, can be designed and deployed to better address these building trends.
